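# Install two root launchd jobs: one streams auth-related unified-log events
# into /var/log/custom, the other prunes old files from that directory.
# Run as root, as a script file: a failed download exits instead of going on.
#
# NOTE(review): everything fetched here is later executed as root by launchd.
# The raw URLs carry a fixed 40-hex path component (presumably the gist
# revision); read that exact content before installing it, and keep a reviewed
# local copy or checksum if the install is repeated on other hosts.
# NOTE(review): com.apple.* is Apple's reverse-DNS namespace. A site-owned
# prefix would make these jobs easier to tell apart from vendor jobs when
# auditing persistence items. The names are left unchanged here.

gist_raw='https://gist.githubusercontent.com/heywoodlh/0295135b9e24ec0729571497c9ab5a77/raw/b3032d9a563c956f574176c39cb2a5382f8c579c'
agents_dir='/var/root/Library/LaunchAgents'

mkdir -p /opt/scripts /var/log/custom "$agents_dir"

# Fetch everything before loading anything, so a failed download cannot leave
# a half-installed job behind. -f makes curl fail on an HTTP error instead of
# saving the error page as a script that root would later run.
curl -fsS "$gist_raw/auth-log.sh" -o /opt/scripts/auth-log.sh || exit 1
curl -fsS "$gist_raw/cleanup.sh" -o /opt/scripts/cleanup.sh || exit 1
curl -fsS "$gist_raw/com.apple.auth-log.plist" -o "$agents_dir/com.apple.auth-log.plist" || exit 1

# Explicit modes rather than +x: root-run files must not be writable by
# group/other, whatever umask the installer was started with.
chmod 755 /opt/scripts/auth-log.sh /opt/scripts/cleanup.sh

# The cleanup job reuses the auth-log plist with its label and program swapped.
cp "$agents_dir/com.apple.auth-log.plist" "$agents_dir/com.apple.auth-log-cleanup.plist"
sed -i '' 's/com\.apple\.auth-log\.plist/com.apple.auth-log-cleanup.plist/g' "$agents_dir/com.apple.auth-log-cleanup.plist"
sed -i '' 's/auth-log\.sh/cleanup.sh/g' "$agents_dir/com.apple.auth-log-cleanup.plist"
chmod 644 "$agents_dir/com.apple.auth-log.plist" "$agents_dir/com.apple.auth-log-cleanup.plist"

# `launchctl start` takes the job label (the Label string in the plist), not a
# plist path, and has no -w flag; -w belongs to load/unload.
launchctl load -w "$agents_dir/com.apple.auth-log.plist"
launchctl start com.apple.auth-log.plist
launchctl load -w "$agents_dir/com.apple.auth-log-cleanup.plist"
launchctl start com.apple.auth-log-cleanup.plist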
Last active
March 19, 2023 21:00
Auth logging on MacOS using the log command
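#!/usr/bin/env bash
## Append auth-related unified-log events to a per-day file in /var/log/custom.
##
## NOTE(review): the date is read once, at start-up, and `log stream` does not
## exit by itself. A long-running instance therefore keeps appending to the
## file named after its start date; a new file appears only on restart.
## NOTE(review): `contains "su"` and `contains "login"` are substring matches
## on the whole message, so any event whose text includes those letters is
## captured too. Expect high volume and size the retention accordingly.
## NOTE(review): the output records authentication activity. Check that
## /var/log/custom and the files in it are not readable by unprivileged users.
log_day="$(date +%Y-%m-%d)"
log_file="/var/log/custom/${log_day}-auth.log"

## exec replaces the shell, so launchd supervises `log` itself, not a wrapper.
exec log stream -predicate 'eventMessage contains "authd" or eventMessage contains "su" or eventMessage contains "authorizationhost" or eventMessage contains "login" or eventMessage contains "SecurityAgent"' >> "$log_file"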
#!/usr/bin/env bash
## Free disk space by pruning /var/log/custom of entries whose modification
## time is more than 7 days old.
## -mindepth 1 keeps the directory itself out of the match.
## NOTE(review): selection is by mtime, so a file that is still being appended
## to is never old enough to be removed.
log_dir='/var/log/custom/'
find "$log_dir" \
  -mindepth 1 \
  -mtime +7 \
  -delete
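<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- launchd job definition that runs /opt/scripts/auth-log.sh.
     The install commands on this page also copy this file and rewrite the
     label and script name with sed to create the cleanup job, so both strings
     below must stay exactly as they are. -->
<plist version="1.0">
<dict>
    <!-- NOTE(review): com.apple.* is Apple's namespace and labels normally
         carry no ".plist" suffix. A site-owned label would be easier to
         recognise when auditing launchd persistence items. Changing it means
         changing the install commands that reference it. -->
    <key>Label</key>
    <string>com.apple.auth-log.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/opt/scripts/auth-log.sh</string>
    </array>
    <!-- KeepAlive replaces the deprecated OnDemand key; true here is what
         OnDemand=false expressed: launchd keeps the job running and relaunches
         it whenever it exits. The cleanup copy of this file inherits that, so
         cleanup.sh is relaunched each time it finishes. -->
    <key>KeepAlive</key>
    <true/>
    <key>Nice</key>
    <integer>1</integer>
    <!-- Also start the job every 60 seconds. -->
    <key>StartInterval</key>
    <integer>60</integer>
</dict>
</plist>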